Keith #1
Major ASP.Net Security Issue?
I have found what I believe to be a serious security
issue in ASP.Net. If you have:
1. Your website configured for anonymous access
2. Elect under web.config to set the sessionstate
attribute of cookieless to true
Anyone from any IP address or across another browser can
copy the URL and work within the session. My question
is "Why doesn't ASP.Net provide an option around ensuring
all requests for a user session originate from the same
IP address and/or same useragent?" I know that some
people sit behind firewalls, proxies and layer 4 devices
that could load balance and affect HTTP traffic, but it
honestly escapes me why I can access my web application
on any machine inside or outside of my network with just
the sessionid in the URL from even different browsers.
There must be a way to control this in the
configuration. Am I alone in finding this troubling?
Keith Guest
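As an added illustration (not configuration from this thread or from any of its posters), here is the web.config fragment that produces the behaviour Keith describes, placed beside the settings that keep the session ID out of the URL so that a copied link no longer carries the session. The first fragment uses the ASP.NET 1.x boolean form of `cookieless` mentioned in the post; the enumerated `UseCookies` value, `regenerateExpiredSessionId`, and the `httpCookies` element in the second fragment are ASP.NET 2.0 and later.

```xml
<!-- Weak configuration (the setup described in the post): the session ID is
     embedded in every URL, so whoever holds a copy of the URL holds the session. -->
<configuration>
  <system.web>
    <sessionState mode="InProc" cookieless="true" timeout="20" />
  </system.web>
</configuration>

<!-- Hardened configuration: the session ID lives only in a cookie that script
     cannot read and that the browser sends only over HTTPS. -->
<configuration>
  <system.web>
    <!-- ASP.NET 1.x accepts only true/false for cookieless; "UseCookies" and
         regenerateExpiredSessionId require ASP.NET 2.0 or later. -->
    <sessionState mode="InProc"
                  cookieless="UseCookies"
                  regenerateExpiredSessionId="true"
                  timeout="20" />
    <!-- httpOnlyCookies and requireSSL on httpCookies: ASP.NET 2.0 or later. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

The cookie-based form does not make the session ID secret on its own; it removes the ID from URLs, referrer headers, browser history and bookmarks, which is where cookieless sessions leak it. Short timeouts and calling `Session.Abandon()` on logout still matter in either configuration.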
-
Ray at #2
Re: Major ASP.Net Security Issue?
It seems to me that this would be listed as a predictable downside to using
cookieless sessions. Verifying IPs and/or user agents wouldn't be any real
way to avoid this, so it makes sense to me that this wouldn't be the default
behavior for asp.net to check that. And if it were to check it, where would
it store this info? In session variables? Hmmph.
--
Ray at home
Microsoft ASP MVP
"Keith" <keith@keithadler.com> wrote in message
news:77b601c3e87d$1c5144f0$a101280a@phx.gbl...
> I have found what I believe to be a serious security
> issue in ASP.Net. If you have:
>
> 1. Your website configured for anonymous access
> 2. Elect under web.config to set the sessionstate
> attribute of cookieless to true
>
> Anyone from any IP address or across another browser can
> copy the URL and work within the session. My question
> is "Why doesn't ASP.Net provide an option around ensuring
> all requests for a user session originate from the same
> IP address and/or same useragent?" I know that some
> people sit behind firewalls, proxies and layer 4 devices
> that could load balance and affect HTTP traffic, but it
> honestly escapes me why I can access my web application
> on any machine inside or outside of my network with just
> the sessionid in the URL from even different browsers.
> There must be a way to control this in the
> configuration. Am I alone in finding this troubling?
Ray at Guest
-
Paul Glavich #3
Re: Major ASP.Net Security Issue?
We have used cookieless sessions and what you say is true, but we used SSL
to encrypt traffic, which as you know requires a connection to the same
client/server (ie. if connection broken, then the SSL session is invalid) so
this IP verification approach could still work but it assumes SSL, which of
course is really outside of ASP.NET's domain.
Further to this you could use client certs to verify integrity which
strictly doesn't stop people from hijacking a session (simply minimises it),
but there are just so many ways to approach this, each with positives and
negatives, that if the ASP.NET team adopted one approach, it would
implicitly be advocating this one approach which may very well be flawed
under a number of different situations.
My 2 cents.
--
- Paul Glavich
"Keith" <keith@keithadler.com> wrote in message
news:77b601c3e87d$1c5144f0$a101280a@phx.gbl...
> I have found what I believe to be a serious security
> issue in ASP.Net. If you have:
>
> 1. Your website configured for anonymous access
> 2. Elect under web.config to set the sessionstate
> attribute of cookieless to true
>
> Anyone from any IP address or across another browser can
> copy the URL and work within the session. My question
> is "Why doesn't ASP.Net provide an option around ensuring
> all requests for a user session originate from the same
> IP address and/or same useragent?" I know that some
> people sit behind firewalls, proxies and layer 4 devices
> that could load balance and affect HTTP traffic, but it
> honestly escapes me why I can access my web application
> on any machine inside or outside of my network with just
> the sessionid in the URL from even different browsers.
> There must be a way to control this in the
> configuration. Am I alone in finding this troubling?
Paul Glavich Guest